RSA CTO Speaks of APT, Before Attack

RSA executives haven't been commenting publicly since the security solutions vendor revealed last week it had been victimized by a sophisticated cyberattack aimed at its SecurID two-factor authentication product (see RSA Says Hackers Take Aim At Its SecurID Products).

But weeks before the hack, I spoke with RSA Chief Technology Officer Bret Hartman about advanced persistent threats, the type of sinister assault RSA experienced (see Tracking Bad Guys Who Enter IT Systems).

Hartman characterized APT as insidious and very hard to detect, with the malware hiding before attacking. "It is not like something that just blasts through the front door and deletes your hard drive or attempts to," he said. "It is very, very pernicious and very narrowly focused."

Hartman's comments foreshadowed the dilemma RSA now faces, though he wasn't necessarily addressing his company's IT systems. Among APT's challenges, he said, is recognizing the lack of effectiveness of countermeasures put in place to prevent such assaults. "The fact that the complexity of the stack is so great, so much code, it is impossible to get rid of every last vulnerability that exists in that stack; we just see it over and over again," he said. "As long as people keep writing code and making patches and making multi-million line application stacks, there will be vulnerabilities and some small percentage of APT will get through."

Later in our conversation, I asked Hartman about a shift in thinking among some IT experts in which they accept as a fact of life that intruders will get into their systems and they have to deal with the incursion from within. One approach, he said, is to closely monitor behavior once they pass through the initial authentication check.

"Constantly look at how they behave ... to determine do I trust this person? Are they starting to do something that is maybe a little wacky that maybe I don't trust them as much as I did five minutes ago? That notion of managing risk and looking at behavior makes it perhaps more acceptable to say, 'Okay, we have bad guys that might be in the system, but at least we're watching them every minute and hopefully detecting them before they do anything too bad.' That's a good change."

But Hartman suggested that monitoring behavior, and identifying the bad guys in an APT exploitation, is easier said than done. "The fact is that when you move to that exploitation, chances are that's going to look a whole lot like typical application access," he said. "If it is an exploitation - say we're talking about moving money or accessing somebody's patient record - it may not be that much different than what a human being would do. But part of the trick in an APT is to, I think, being able to tie different sources of evidence up and down the stack together to have a higher degree of confidence that this is truly exploitation and not just something that a typical user is doing."
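To make the approach Hartman describes concrete, here is an added illustration (not code from RSA or from the article): a small Python scorer that keeps a sliding window of post-authentication evidence per session, weights signals from the auth, network and application layers, and raises its confidence only when evidence from several layers corroborates. The events, signal names, weights and window are all assumed sample values.

```python
from collections import defaultdict

# Constructed sample events (time_s, session_id, layer, signal); not real telemetry.
SAMPLE_EVENTS = [
    (0,   "s1", "auth",    "mfa_ok"),
    (30,  "s1", "app",     "record_view"),
    (0,   "s2", "auth",    "new_device"),
    (20,  "s2", "network", "unusual_geo"),
    (90,  "s2", "app",     "bulk_record_access"),
    (0,   "s3", "app",     "bulk_record_access"),  # one layer only
    (0,   "s4", "auth",    "new_device"),
    (20,  "s4", "network", "unusual_geo"),
    (700, "s4", "app",     "bulk_record_access"),  # earlier evidence has aged out
]

# Assumed weights: how much each signal lowers trust; unlisted signals are benign.
SIGNAL_WEIGHTS = {
    ("auth", "new_device"): 0.15,
    ("network", "unusual_geo"): 0.20,
    ("app", "bulk_record_access"): 0.25,
}
WINDOW = 300          # seconds: evidence older than this no longer counts
CORROBORATION = 0.5   # extra confidence per additional layer with evidence


def session_risk(events, now):
    """Risk in [0, 1] from evidence inside the window; the same evidence spread
    over several layers is corroborated and scores higher than from one layer."""
    per_layer = defaultdict(float)
    for t, layer, signal in events:
        weight = SIGNAL_WEIGHTS.get((layer, signal), 0.0)
        if weight > 0 and now - WINDOW <= t <= now:
            per_layer[layer] += weight
    if not per_layer:
        return 0.0, []
    risk = sum(per_layer.values()) * (1 + CORROBORATION * (len(per_layer) - 1))
    return min(1.0, round(risk, 3)), sorted(per_layer)


def score_sessions(events, threshold=0.5):
    """Return {session_id: (risk, corroborating_layers, flagged)} per session."""
    by_session = defaultdict(list)
    for t, sid, layer, signal in events:
        by_session[sid].append((t, layer, signal))
    result = {}
    for sid, evs in by_session.items():
        now = max(t for t, _, _ in evs)          # evaluate at latest activity
        risk, layers = session_risk(evs, now)
        result[sid] = (risk, layers, risk >= threshold)
    return result
```

With the sample data only s2 is flagged: s3 shows the same application-layer anomaly without corroboration, and s4 shows how a slow-moving intruder slips under a short evidence window.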

Competitors Pounce

Competitors - direct and indirect - are making the most of RSA's woes to promote their own wares.

Equifax's Anakam Identity Services has sent information to customers to reassure them about the security of its solution. "We are also reaching out to customers directly and taking calls from customers and prospects with questions," says Sally Ewalt, Anakam marketing director.

What is Anakam telling customers about the RSA breach? "Of course," she says, "we don't yet know exactly what happened in the SecurID breach." But Anakam points out the difference between the two products: unlike SecurID, Anakam's solution is tokenless. Why point that out? "Many people are pointing to the potential theft of (RSA) token seeds," Ewalt says.

Solera Networks doesn't market two-factor authentication wares, but it does provide forensic products that SecurID customers could use to determine with "some confidence what was and was not compromised," according to a press advisory soliciting media interviews with company CEO Steve Shillingford. "Breaches do occur and will continue. Next generation threats - APTs - are being specifically architected to subvert installed security defenses. Knowing the full extent of a breach is key to appropriately dealing with it."

Game Changer

Sanjay Kalra is managing partner of Information Security Media Group, publisher of this site, and a seasoned IT security practitioner. I was chatting with him the other day when he made some insightful observations about the RSA breach:

"It will be a big deal. In the past, we have seen the bad guys going after the corporations - the banks, payment processors, healthcare organizations and the government agencies. In some ways, all that bad news helped these security vendors. This is the first time we are seeing where security vendors are being attacked. Almost all of these companies - be it RSA, CA, IBM, etc., have extremely smart technologists on board who design these systems. The bad guys are smart as well, but with a destructive mindset. This is war and you'll see more of it."

As Kalra further reflected on the hack, he added: "None of these bad guys have PhDs from MIT and Stanford. The researchers at these security vendors do. With this breach, these folks have raised the stakes here. By breaking into this company - one of the oldest and one of the most respected in the security space - they have earned the bragging rights they aspire for."